⚠️ Pracivo Security Lab — SSRF in webhook, XXE in XML upload, Open Redirect in login, CORS on API.
Welcome to AcmeCorp Developer Portal
Use the navigation above to explore the vulnerable endpoints:
- /webhook — SSRF: make the server fetch any URL you give it
- /xml-upload — XXE: inject external entities in XML to read server files
- /redirect?next= — Open Redirect: redirect users to any site
- /discount — Business Logic: apply negative discounts
- /api/user — CORS: any origin can read this API response